ARP poisoning is the deliberate mapping of an incorrect MAC address to a correct IP address. It is used to redirect traffic for malicious purposes and is the most common spoofing mechanism used on Ethernet and Wi-Fi networks. It allows an attacker to insert themselves in a man-in-the-middle attack between two legitimate hosts.
In TCP/IP, a packet cannot simply have a destination IP address before it is transmitted on a multi-access network. It must also have a corresponding OSI Layer 2 address. On Ethernet and Wi-Fi networks, this would be a MAC address. A host can use name resolution to look up a destination's IP address, but it must also use ARP to learn the MAC address. Once the MAC-to-IP mapping is determined, that information is stored in the host's ARP cache. Because the other devices can change their IP address, entries in the ARP cache age out and are updated every few minutes.
Unless you hard-code MAC-to-IP address mappings on your network, the relationship between a MAC address and an IP address is expected to be fluid and change. An attacker can take advantage of this in several ways:
- You can send out a continuous stream of fake ARP replies declaring to the entire segment that your MAC is the correct one for the target IP address. In this way, when hosts intend to send a packet to the target, they are actually sending it to you.
- You can send out a continuous stream of fake ARP replies declaring that your MAC address is the correct one for the default gateway (router). Any host wishing to send traffic to another network, including the Internet, must send it to you.
- You can poison the MAC table of a switch with fake ARP replies so that it associates your victim's MAC addresses to your switch port. Whenever the switch receives traffic destined for your victim, it will not only forward it out the switch port that the victim is connected to, but it will also forward a copy out your port.
If you wish to insert yourself between two hosts in a man-in-the-middle attack, you must poison the ARP cache of both hosts. In this way, they will communicate with each other through you. They will not realize that you are relaying all messages while capturing a copy for yourself. Because you are constantly streaming the spoofed MAC address to your victims, they never feel the need to perform their own ARP broadcast. They think they already have the mapping. When you stop ARP poisoning, the two hosts will eventually age your spoofed entries out of their ARP caches and learn each other's correct MAC address. This process can take up to 10 minutes, unless you reboot the machines or manually clear their ARP caches.
ARP poisoning has its limits. Because you are spoofing Layer 2 addresses, the poisoner must be on the same network segment as the victims. If the victims are on another subnet, or on a remote network, you cannot conduct ARP poisoning against them. Similarly, if you are on a network that does not use MAC addresses, such as ATM, dial-up, or synchronous serial WAN links, ARP poisoning is useless.
ARP Poisoning Tools
Several tools can perform ARP poisoning, including:
- Metasploit auxiliary/spoof/arp/arp_poisoning
- Cain & Abel
Some tools have other functionality built into them. For example, Cain & Abel can ARP poison, sniff the network, capture login sessions using a wide variety of protocols, crack intercepted encrypted passwords, record VoIP conversations, and more. The only effective way to defend against ARP poisoning is to hard-code all MAC-to-IP or MAC-to-switchport mappings. You can create manual entries in the various devices and on the switch.